From b1185573e31f08d4d37ae763b5d7e7f0a37e1244 Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Tue, 5 May 2020 14:40:09 +0200
Subject: [PATCH] ipa_auth and krb5_auth: when providing wrong password return
PAM_AUTH_ERR
When providing a wrong password for an existing IPA user, return PAM_AUTH_ERR (authentication failure) instead of PAM_CRED_ERR (failure setting user credentials). In order to do that it is necessary to translate PAM_CRED_ERR to PAM_AUTH_ERR once the providers are done.
Resolves:
https://github.com/SSSD/sssd/issues/5139
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 49b9ca15866f59d6e3c1b572545d1b9e76625892)
---
src/providers/ipa/ipa_auth.c | 16 ++++++++++++++++
src/providers/krb5/krb5_auth.c | 8 ++++++++
2 files changed, 24 insertions(+)
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index 1bd017721..2858eb4f5 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -271,6 +271,14 @@ static void ipa_pam_auth_handler_krb5_done(struct tevent_req *subreq)
return;
}
+ /* PAM_CRED_ERR is used to indicate to the IPA provider that trying
+ * password migration would make sense. From this point on it isn't
+ * necessary to keep this status, so it can be translated to PAM_AUTH_ERR.
+ */
+ if (state->pd->pam_status == PAM_CRED_ERR) {
+ state->pd->pam_status = PAM_AUTH_ERR;
+ }
+
done:
/* TODO For backward compatibility we always return EOK to DP now. */
tevent_req_done(req);
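Review bot: The same seven-line PAM_CRED_ERR→PAM_AUTH_ERR translation is pasted verbatim three times, here and in the hunks ending at the equivalent `tevent_req_done(req);` lines of ipa_pam_auth_handler_flag_done and krb5_pam_handler_auth_done; a single small static helper taking the pam data pointer, with the explanatory comment attached to it once, would keep the three call sites from drifting apart the next time the status mapping changes. Note also that the block is placed before the `done:` label, so every `goto done` path in ipa_pam_auth_handler_krb5_done bypasses the translation; that is presumably intended because those paths set a system error themselves, but a one-line remark such as `/* error paths jump past this on purpose: they never leave PAM_CRED_ERR behind */` would make the placement deliberate rather than accidental. The body of ipa_pam_auth_handler_krb5_done starts outside the hunk, so I cannot confirm from here that no early-exit path leaves pam_status at PAM_CRED_ERR.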
@@ -312,6 +320,14 @@ static void ipa_pam_auth_handler_flag_done(struct tevent_req *subreq)
return;
}
+ /* PAM_CRED_ERR is used to indicate to the IPA provider that trying
+ * password migration would make sense. From this point on it isn't
+ * necessary to keep this status, so it can be translated to PAM_AUTH_ERR.
+ */
+ if (state->pd->pam_status == PAM_CRED_ERR) {
+ state->pd->pam_status = PAM_AUTH_ERR;
+ }
+
done:
/* TODO For backward compatibility we always return EOK to DP now. */
tevent_req_done(req);
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 9a9250434..6ab39547f 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1293,6 +1293,14 @@ static void krb5_pam_handler_auth_done(struct tevent_req *subreq)
state->pd->pam_status = PAM_SYSTEM_ERR;
}
+ /* PAM_CRED_ERR is used to indicate to the IPA provider that trying
+ * password migration would make sense. From this point on it isn't
+ * necessary to keep this status, so it can be translated to PAM_AUTH_ERR.
+ */
+ if (state->pd->pam_status == PAM_CRED_ERR) {
+ state->pd->pam_status = PAM_AUTH_ERR;
+ }
+
/* TODO For backward compatibility we always return EOK to DP now. */
tevent_req_done(req);
}
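Review bot: The comment copied into krb5_auth.c says PAM_CRED_ERR "indicate[s] to the IPA provider", but this file is the generic Kerberos provider, which also runs standalone with no IPA code downstream; a reader of krb5_pam_handler_auth_done cannot tell whether the status is an internal signal that only the IPA handlers consume or something pam_sss could still observe. Suggest rewording it here to something like `/* PAM_CRED_ERR is an internal hint (consumed by the IPA provider, which drives this code, to decide whether to try password migration); it must never reach the PAM responder, so collapse it to PAM_AUTH_ERR before completing. */`. Unlike the two ipa_auth.c hunks there is no `done:` label in this one, so every path that reaches the added check is mapped, which is the safer shape; it would be worth stating that the mapping is a final step that must stay the last thing before tevent_req_done(). The start of krb5_pam_handler_auth_done lies outside the hunk.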
--
2.21.1